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The European Data Protection Board and the European Data Protection 
Supervisor 


Having regard to Article 42(2) of the Regulation 2018/1725 of 23 October 2018 on the protection of 
natural persons with regard to the processing of personal data by the Union institutions, bodies, 
offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 
45/2001 and Decision No 1247/2002/EC, 


Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as 
amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018, 


Having regard to the request for a Joint Opinion of the European Data Protection Supervisor and of 
the European Data Protection Board of 3 February 2022 regarding a Proposal for a Regulation of the 
European Parliament and of the Council amending Regulation (EU) 2021/953 on a framework for the 
issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery 
certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID-19 pandemic 
as well as regarding a Proposal for a Regulation of the European Parliament and of the Council 
amending Regulation (EU) 2021/954 on a framework for the issuance, verification and acceptance of 
interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) with 
regardto third-country nationals legally staying or residing in the territories of Member States during 
the COVID-19 pandemic, 


HAVE ADOPTED THE FOLLOWING JOINT OPINION 


1 BACKGROUND 


On 3 February 2022, the Commission adopted a Proposal for a Regulation of the European Parliament 
and of the Council amending Regulation (EU) 2021/953 on a framework for the issuance, verification 
and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital 
COVID Certificate) to facilitate free movement during the COVID-19 pandemic (the “First Proposal”). 
The Commission proposes to base the first Proposal on Article 21(2) of the Treaty on the Functioning 
of the European Union (the “TFEU”) according to which every EU citizen has the right to move and 
reside freely within the territory of the Member States?, subject to the limitations and conditions laid 
down in the Treaties and by the measures adopted to give them effect. 


On 3 February 2022, the Commission also adopted a Proposal for a Regulation of the European 
Parliament and of the Council amending Regulation (EU) 2021/954 on a framework for the issuance, 
verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU 
Digital COVID Certificate) with regard to third-country nationals legally staying or residing in the 
territories of Member States during the COVID-19 pandemic amending Regulation (EU) 2021/954 on 
a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test 
and recovery certificates (EU Digital COVID Certificate) with regard to third-country nationals legally 
staying or residing in the territories of Member States during the COVID-19 pandemic (the “Second 


1 References to “Member States” made throughout this document should be understoodas references to “EEA 
Member States”, and references to the "EU" should be understood as references to the "EEA". 
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Proposal”, and together with the First Proposal, the “Proposals”). The Commission proposes to base 
the Second Proposal on Article 77(2)(c) TFEU, according to which the Union shall develop policies 
setting out the conditions under which nationals of third countries shall have the freedom to travel 
within the Union. 


The European Data Protection Board (the “EDPB”) and the European Data Protection Supervisor (the 
“EDPS”) note that the Proposals seek to extend the application of Regulation 2021/953 (EU Digital 
COVID Certificate) and, by extension, of Regulation 2021/954 by 12 months, as well as prolong for the 
same time the power of the Commission to adopt delegated acts pursuant to Regulation (EU) 
2021/953 (the “Regulation”). 


In addition to extending the application of the EU Digital COVID Certificate, the Proposals aim to 
amend certain provisions of the Regulation: 


1) A broadening of the definition of SARS-CoV-2 tests that rely on the detection of viral proteins 
(antigens) to include immunoassays performed in a laboratory setting and not only rapid antigen tests 
that give results in less than 30 minutes; 


2) An explicit clarification that vaccination certificates are to contain the number of doses 
administered tothe holder, regardless of the Member State in which they have been administered, to 
make sure that the overall number actually administered is accurately reflected; 


3) The inclusion of vaccination certificates issued for a COVID-19 vaccine undergoing clinical trials 
among those certificates that may be accepted by Member Statesin order to waive restrictions to free 
movement; and 


4) The correction of a wrong cross-reference in Article 13(2) of Regulation (EU) 2021/953. 


On 3 February 2022, the Commission requested a Joint Opinion of the EDPB andthe EDPS on the basis 
of Article 42(2) of Regulation (EU) 2018/1725 (the “EUDPR”)? on the Proposals. 


2 SCOPE OF THE OPINION 


The Proposals are of particular importance due totheir major impact on the protection of individuals’ 
rights and freedoms with regard to the processing of their personal data. The scope of this Joint 
Opinion is limited to the aspects of the Proposals relating to the protection of personal data, which 
represent a fundamental aspect of the Proposals. 


For the sake of clarity, as the Second Proposal is limited to ensuring that Member States apply the 
rules laid down in the First Proposal to third country nationals who reside or stay legally in their 
territory and are entitled to travel to other Member States in accordance with Union law, the EDPB 
and the EDPS will provide their recommendations with a focus on the First Proposal. This being said, 


2 Regulation (EU) 2018/1725 ofthe European Parliament and of the Council of 23 October 2018 onthe protection 
of natural persons with regardto the processing of personal data by the Union institutions, bodies, offices and 
agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 
1247/2002/EC (OJ L295, 21.11.2018, p. 39). 
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the general comments and considerations made in this Joint Opinion are fully applicable to both 
Proposals. 


Not entering into other important ethical and societal aspects on which the Proposals may have an 
impact in terms of compliance with fundamental rights, the EDPB and the EDPS highlight that it is 
essential that the Proposals are consistent and do not conflict in any manner with the application of 
the General Data Protection Regulation (the “GDPR”)?. This is not only for the sake of legal certainty, 
but also to avoid that the Proposals have the effect of directly or indirectly jeopardizing the 
fundamental right to the protection of personal data, as established under Article 16 TFEU and Article 
8 of the Charter of Fundamental Rights of the European Union (the “Charter”). 


The EDPB and the EDPS are aware of the ongoing legislative process of the Proposals and stress their 
availability to the co-legislators to provide further advice and recommendations throughout this 
process and to ensure in particular legal certainty for natural persons and due protection of personal 
data for data subjects in line with the TFEU, the Charter and EU data protection legislation. 


3 COMMENTS 


3.1 General comments 


The EDPB and the EDPS recall that compliance with data protection rules does not constitute an 
obstacle for fighting the COVID-19 pandemic and that, at the same time, the general principles of 
effectiveness, necessity and proportionality must guide any measure adopted by Member States or 
EU institutions that involve processing of personal data to fight COVID-19*. A regular assessment on 
any measures to fight the COVID-19 pandemic should take place, having regard to the relevant 
scientific evidence and additional measures in place, in order to continuously evaluate which actions 
remain effective, necessary and proportionate. Additionally, the EDPB and EDPS also recall the 
principles relating to processing of personal data laid down in Article 5 of the GDPR, more specifically 
the principles of storage limitation, purpose limitation, as well as the principle of transparency. 


Given the ongoing threat posed by SARS-CoV-2, including by its variant ‘Omicron’, whose increased 
infectiousness has resulted in very high case notification rates across the European Union and places 
considerable strain on healthcare systems and society; the impossibility to predict the impact of a 
possible increase in infections in the second half of 2022; and the risk of a prolongation of the 
pandemic as a result of the emergence of new SARS-CoV-2 variants, the EDPB and the EDPS 
understand the need to extend the applicability of the Regulation. 


However, the EDPB and the EDPS underline that any restriction to the free movement of persons 
within the European Union put in place to limit the spread of SARS-CoV-2, including the requirement 
to present EU Digital COVID Certificates, should be lifted as soon as the epidemiological situation 


3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of 
natural persons with regard to the processing of personal data and on the free movement of such data, and 
repealing Directive 95/46/EC (General Data Protection Regulation), OJ L119, 4.5.2016, p. 1. 

4 See also EDPB Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the 
COVID-19 outbreak, para. 4; EDPB s Statement on the processing of personaldatain the context of the COVID- 
19 outbreak. Adopted on 19 March 2020. 
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allows. Moreover, the EDPB and EDPS will pay special attention to the evolution of the COVID-19 
pandemic and in particular to the use of personal data following the end of the pandemic. 


The EDPB and the EDPS take note that the First Proposal does not alter substantially the existing 
provisions of the Regulation with regard to the processing of personal data. 


The EDPB and the EDPS thus welcome that the GDPR will continue to apply to the processing of 
personal data carried out when implementing the Regulation. 


3.2 Specific comments 


3.2.1 Lack of an evidential basis for the assessment of the necessity and proportionality of 
the Proposal 


The EDPB and the EDPS take note that the Commission did not carry out an impact assessment for 
the Proposals. According to the Commission, this is due to the urgency and the limited scope of the 
Proposals themselves?. 


The EDPB and the EDPS recall that the original proposal for the Regulation was not accompanied by 
an impact assessment. In their comments made in the Joint Opinion 04/2021 on the Digital Green 
Certificate, the EDPB and the EDPS underlined the lack of an impact assessment accompanying the 
original proposal and pointed out that such animpact assessment would have provided substantiation 
as to the impact of the measures being adopted as well as to the effectiveness of already existing less 
intrusive measures°®. 


The EDPB and the EDPS take note of the urgency of the First Proposal, given that, in the absence of an 
extension of the applicability of the Regulation, the latter would cease to apply on 30 June 2022. 


Nevertheless, also given the epidemiological developments in relationto COVID-19 in recent months, 
the need for an extension of the applicability of the Regulation, and by extension to Regulation 
2021/954 regarding third-country nationals, could have been anticipated, and a more thorough 
assessment of the impact on fundamental rights, including on the right to data protection, should have 
been carried out. 


In addition, the EDPB and the EDPS also highlight that, in line with Article 16 (2) of the Regulation, the 
Commission shall submit, by 31 March 2022, a report to the European Parliament and the Council on 
the application of the Regulation, containing in particular an assessment of the impact of the 
Regulation on the facilitation of free movement, fundamental rights and non-discrimination, as well 
ason the protection of personal data during the COVID-19 pandemic. The EDPB and the EDPS strongly 
consider that the Proposal should be accompanied by the abovementioned report, as foreseen in 
the same Article of the Regulation, in order to provide a clear justification on the necessity and 
proportionality of the First Proposal, taking into account, amongst other things, the evolution of the 
epidemiological situation with regard to the COVID-19 pandemic together with the impact on 


> See e.g. Explanatory Memorandum of the draft Proposal. 

6 EDPB-EDPS Joint Opinion 04/2021 on the Proposal for a Regulation of the European Parliament and of the 
Council on a framework for the issuance, verification and acceptance of interoperable certificates on 
vaccination, testing and recovery to facilitate free movement during COVID-19 pandemic (Digital Green 
Certificate), para. 16. 
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fundamental rights and non-discrimination notably on the basis of the possession of a specific 
category of a medical certificate”. In addition, the EDPB and the EDPS are of the view that the report 
should also address other technical issues such as the security of personal data relatedto the use of 
the certificates that have arisen when applying the Regulationin practice. 


As mentioned above, the EDPB and the EDPS, in this regard, stress the need to continuously evaluate 
which measures remain effective, necessary and proportionate as regards the purpose ofthe fight 
against the COVID-19 pandemic. Moreover, the EDPB and the EDPS recall the legal imperative for 
the data protection principles under Article 5 GDPR to be continuously applied and integrated in 
any personaldata processing operation. 


3.2.2 Modifications to current data fields 


The First Proposal contains an explicit clarification that vaccination certificates are to contain the 
number of doses administered to the holder, regardless of the Member State in which each dose has 
been administered, to accurately reflect the overall number of doses administered. 


To this end, the First Proposal seeks to amend paragraph 2, point (b) of Article 5 of the Regulation as 
follows [proposed changes highlighted]: “information about the COVID-19 vaccine and the number of 
doses administered to the holder, regardless of the Member State in which they have been 
administered” . 


In the specific case described above, the EDPB and the EDPS understand that the proposed change 
seeks to address situations where individuals have received vaccination doses in different Member 
States. Therefore, the proposed change seems to be limited to what is strictly necessary and does not 
raise particular concerns from a data protection perspective. 


This would however be different should the Commission seek to substantially modify the current data 
fields. In this context, the EDPB and the EDPS recall their previous position that any modification of 
data fields might require a re-evaluation of the risks to fundamental rights and that only more 
detailed data fields (sub-categories of data) falling under the already defined categories of data 
should be added through the adoption of delegated acts’. 


Additionally, the EDPB and the EDPS note that the First Proposal provides that persons participating 
in clinical trials for the development of COVID-19 vaccines are also eligible to receive a COVID-19 
vaccination certificate (EUDCC). For the sake of legal certainty, the EDPB and the EDPS consider that 
the First Proposal should clarify whether the information that a data subject has participated in a 
clinical trial would or would not be added to the categories of data listed in Article 5(2) of the 
Regulation. Should such category of data be added, the EDPB and the EDPS refer to the 
recommendations put forward in paragraph 41 of the EDPB-EDPS Joint Opinion 04/2021 and recalled 
in paragraph 23 of the current Opinion. 


The EDPB and the EDPS further recall paragraph 39 of the Joint Opinion, in which the EDPB and the 
EDPS note that "(...) an approach supporting differently comprehensive data sets and QR codes can 
improve data minimisation in different use cases." Should the Digital COVID Certificate recording the 
three doses, or any further possible doses, be used for purposes other than freedom of movement, 


7 See Article 3(7) of the Regulation. 
8 EDPB-EDPS Joint Opinion 04/2021, para. 41. 
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the necessary categories of personal data included in the QR code must be reassessed and different 
technical solutions improving data minimisation in different use cases may be needed. The EDPB and 
the EDPS therefore invite the Commission to assist the Member States in developing such technical 
specifications?. 


Brussels, 14 March 2022 


For the European Data Protection Supervisor For the European Data Protection Board 
The European Data Protection Supervisor The Chair 
(Wojciech Wiewiorowski) (Andrea Jelinek) 


2 See Formal Comments of the EDPS on the draft Commission Implementing Decision (EU) amending 
Implementing Decision (EU) 2021/1073 laying down technical specifications and rules for the implementation 
of the trust framework for the EU Digital COVID Certificate established by Regulation (EU) 2021/953 of the 
European Parliament and of the Council, 18 October 2021 https ://edps.europa.eu/system/files/2021-10/2021- 


0943%20Formal comments EUDCC _ en.pdf) 
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